Managed XDR

os.exe — malware analysis report

File info

Filename
os.exe
File type
PE32+ executable (console) x86-64, for MS Windows
File size
5.5 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
6514d2ea116f1e79855681c9dc65d4a919512c1b
SHA256
113f47a92b46a0264e83ddf9d664408e673530077a68cb7ebd58aae49b317fe9
MD5
7928dd6e164bbcba56a9935e9c2b77fc

Signatures

Execution

T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
T1059.006 drops_python_dll: Drops python dll

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1033 queries_username: Gets username
T1518 locates_browser: Attempts to identify where browsers are installed

Command and Control

T1105 cmdline_curl: Uses curl utility for network data transferring

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
pe_overlay: PE file contains overlay